SOX News

AS5 May not be Helping Companies to Streamline SOX Compliance: Compliance Week Survey

(March 05, 2008)-- “Companies appear to be saying that they’ve already made most of their improvements related to SOX and financial reporting,” says Matt Kelly, editor-in-chief of Compliance Week on the release of Compliance Week Survey results.

“Any additional improvements will be marginal, and certainly not as dramatic as regulators and standard setters claimed when releasing AS5.” added Kelly.

Exclusive new research from Compliance Week shows companies that made improvements to their internal control over financial reporting in the wake of The Sarbanes-Oxley Act of 2002 (SOX) are expecting fewer improvements over time. The results also suggest that Auditing Standard No. 5 (AS5)—a new, more relaxed auditing standard approved last year by the Securities and Exchange Commission—may not be helping to streamline SOX compliance as much as hoped.

A Compliance Week survey of nearly 300 public companies finds that three-quarters reduced their number of “key controls” significantly during their first year of meeting SOX requirements—with 14 percent of them reducing key controls by between 60 and 80 percent. “Key controls” are the internal checks and balances that companies use to ensure that their financial reporting processes are timely and reliable. Section 404 of Sarbanes-Oxley required that companies assess their controls and that auditors sign off on the effectiveness of those controls. In theory, as a company reduces the number of key controls, it simplifies its financial reporting process, decreases the risk of error or financial misstatement, and reduces the cost of SOX compliance.

While most companies did indeed report that they had simplified their key controls, more than half of respondents to the Compliance Week survey said they expect to reduce their key controls by no more than 10 percent going forward. Another one-fourth of them anticipate achieving a drop of only 10 to 20 percent. In total, the results suggest that more than 80 percent of companies expect no better than a 20 percent reduction in key controls going forward.

The results spotlight one of the most pressing questions in the financial reporting community: whether the Public Company Accounting Oversight Board’s AS5 will have long-term dramatic impact. The Board and the SEC have encouraged companies to be more selective in what they define as key controls, and have urged companies and auditors to take a “top-down, risk-based” approach to identifying key risks to the financial statements. Before AS5 was released, many companies felt that auditors were taking an overly aggressive approach to Section 404 of Sarbanes-Oxley, testing and assessing all controls regardless of their potential impact on reliable financial reporting. Now, the question of scope—namely, how many controls should be documented, tested, and assessed—weighs heavily on both parties.

“This judgment call is going to be an ongoing dance between companies and auditors,” Kelly says. “However, the survey appears to state that companies are skeptical that they will be in the lead over the next few years.”

Other findings from the Compliance Week key controls survey include:

* The median number of key controls at respondents’ companies was 297, although the actual range varied widely. For example, the average number of key controls for companies with revenue greater than $50 billion was 1,567, but respondents’ specific answers in that group range from only a few hundred to as many as 5,000.
* Not surprisingly, companies in complex and highly regulated industries (financial services, for example) had more key controls than other industries.
* Large companies, whether ranked by revenue or employees, had more controls than smaller companies.
* While the sample sizes are small, the type of enterprise software system a company uses seems to have no significant bearing on key controls; there is a very even distribution of ERP systems, and no one vendor appears to dominate any particular industry.

Share or bookmarklet this web page at: